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Abstract 

Launching a rocket, running a business, driving to work and even day-to-day living all involve some degree of risk. 
Risk is ever present yet not always recognized, adequately assessed and appropriately mitigated. Identification, 
assessment and mitigation of risk are elements of the risk management component of the “continuous improvement” 
way of life that has become a hallmark of successful and progressive enterprises. While the application of risk 
management techniques to provide continuous improvement may be detailed and extensive, the philosophy, ideals 
and tools can be beneficially applied to all situations. Experiences with the use of risk identification, assessment and 
mitigation techniques for complex systems and processes are described. System safety efforts and tools used to 
examine potential risks of the Ares I First Stage of NASA’s new Constellation Crew Launch Vehicle (CLV) 
presently being designed are noted as examples. Recommendations from lessons learned are provided for the 
application of risk management during the development of new systems as well as for the improvement of existing 
systems. Lessons learned and suggestions given are also examined for applicability to simple systems, 
uncomplicated processes and routine personal daily tasks. This paper informs the reader of varied uses of risk 
management efforts and techniques to identify, assess and mitigate risk for improvement of products, success of 
business, protection of people and enhancement of personal life. 

Introduction 


Launching a rocket, running a business, flying in an airplane, operating machinery, driving to work, even crossing 
the street all involve some degree of risk. Indeed, life itself is risky business as all of us run the risk of dying of old 
age if nothing else “gets us” first. Risk, defined as “the possibility of suffering harm or loss” (ref. 1), is ever present 
to some extent in everything we do, yet we do not always recognize what risks we face. Sometimes we recognize 
risk but fail to take steps to mitigate that risk even though the consequences may be significant. Recent events 
relevant to economic conditions remind us of the financial risks to individuals, corporations, governments and even 
insurance institutions that exist for the mitigation of potential risk. As each risk we face has the two components of 
uncertainty and loss (ref. 2), we should structure our efforts to lessen either or both components thereby improving 
the odds we can avoid the potential resultant loss or harm. 

Risk management is the structure for dealing with risk, be it intentional and involved or subconscious and simple. 
Risk management is "a discipline for living with the possibility that future events may cause adverse effects” (ref. 
3). To persons in different situations, risk management takes on a different emphasis, yet the basics are the same. 
Those in the financial industry have traditionally used sophisticated techniques including processes like currency 
hedging and interest rate swaps. A project manager’s effort includes a focus on assuring the accurate tracking of 
schedules and costs to assure a project ison time and within budget. In the insurance industry, risk management is 
accomplished by coordination of insurable risks and reduction of expenses. Safety professionals work to reduce 
accidents and injuries on the job. Engineers designing rockets for manned space flight design with risk in mind 
seeking to eliminate or mitigate risk before beginning to build. Continuous risk management (CRM) then is risk 
management for risks that are assessed on an ongoing basisand used for decision making in all phases of aproject. 
CRM carries the risk forward and deals with it until it is resolved or until it turns into a problem with subsequent 
loss (ref. 4). With risks present at all times in every aspect of life, the implementation of the principles of CRM 
improves our odds of success and avoidance of problems by reducing the likelihood of occurrence and/or the 
severity of consequences of suffering harm or loss. 



Elements of the CRM Process 


Improving our odds for success with CRM involves the continual use of the steps: identify, analyze, plan, track and 
control all the while communicating the risk (Figure 1). 


• Identify-findtherisksbeforetheycanbecomeproblemsandresultinlossorharm. A process of realizing 
the uncertainty for loss or harm 

o Capture the statement of risk in away it can be described and measured 

■ Given the (condition) there is a potential that (risk) could result in (consequence) . . . 

o Capture the context of risk 

■ Include additional information relevant to the circumstances surrounding the identified 


o Communicate the identified risk 

• Analyze- process of examining the risk in order to tell the potential extent, severity and likelihood 
o Eval uate the attri butes of ri sks 

■ Impact 

■ Probability 

■ Timeframe 
o Classify the risks 

■ Grouping of risks based on similar characteristics 

o Prioritize the risks 

■ Ranking of risks to define those most significant or those that need the most attention 
o Communicate the results or status of the analysis 

• PI an - deci de what to do wi th ri sks and how to go about doi ng i t 

o Plan risk mitigation activities 
o Assign responsibilities 

o Communicate what is happening with the risk and how it is going 

• T rack - f ol I ow the ri sk and the assi gned ri sk responsi bilities, collect more i nf ormati on 

o Monitor therisk and all related actions 
o Provide status reports 

o Communicate information relative to the progress of therisk 

• Control - executing the risk mitigation activities that will reduce risks to levels where the uncertainties 
(likelihood) and potential loss (severity) are reduced to an acceptable level 

o I mpl ement the control s 

o Monitor the controls 

o Communicate the effectiveness of the controls 



Plan 


Figure 1 - CRM Process (ref. 5) 


risk 


Communication is the centerpiece that holds the CRM process together. It is present in each of the steps and, as 
Figure 1 depicts, it holds all of the steps together as a central hub. Without communication, the process quickly 
loses value (ref. 6). 


A ppl i cati on of the CRM Process i n the Si mpl e and the Compl ex 

The philosophy and ideals of CRM can be beneficially applied to all situations. While the application of risk 
management techniques may be detailed and extensive for complex systems, application of some or all of the 
principles of CRM are often applied in our every-day lives without realizing we are doing so. 

A Very Simple. Real Life Example Provides an Illustration of Improving the Odds With CRM: A mother identifies 
that given the proximity of a nearby street, there is a potential for her little child to run into that street with the 
subsequent possibility the child could be struck by a passing vehicle resulting in severe injury or death. In an 
instant, the mother analyzes the situation and, with concern for the safety of the child, determines the chi Id must be 
kept from the street. The mother acts immediately with her plan to mitigate the risk presented by the nearby street 
as she separates the chi I d from the hazard. I mmedi ate pi ans i ncl ude hoi di ng the chi I d when outsi de to physi cal I y 
prevent the chi I d from neari ng the street . A ddi ti onal pi ans i ncl ude a fence and gate wi th a I ock to provi de a physi cal 
barrier between the child and the street as well as constant monitoring of the child’s outside activity. Over time as 
the child grows old enough, the pi ans progress until eventually including teaching the child about the street and how 
to be safe when near it and even how to cross it safely. All the while, the mitigation plans are being made and 
enacted; the mother tracks the child continually, verifying that the controls that were put in place are always 
effective. The mother is also constantly vigilant and ready to intervene if a weakness is found. While the mother 
has gone through each of the CRM steps and identified, analyzed, planned, tracked and controlled to the extent 
possible the risk the street presents to a child, she has continually communicated with the child the danger of the 
street. Communication of the risk began with physical restraint and stern warnings of the street, then restrictions to 
remain within an allowed boundary as the hazard mitigating barriers were put in place, then later the child was 
taught how to be safe when near a street. 

Example of Complex Systems and Processes Using Basic Rind pies of CRM Applied for the Reduction of Inherent 
Risks (improving the odds): CRM principles and philosophies are used in launching rockets for manned space 
flight. Even though formal tools, systems and processes are used to identify, analyze, plan, track, control and 
communicate, the same CRM principles are used. NASA Space Shuttle Program Manager Wayne Hale has said 
concerning all involved in any way with each shuttle mission, “Our collective job is to understand the risk, mitigate 
it as much as possible, communicate accurately all around about the risk remaining, and then decide if we can goon 
with that risk” (ref.7). ATK Launch Systems Inc. uses this philosophy employing a comprehensive CRM effort in 
managing the risks of a complex system on NASA’s Constellation program, the next generation of manned space 
vehicles presently in the design stage. 

In designing the Ares I First Stage launch vehicle, part of the overall Constellation CLV, the risk management 
process has been employed from the initial design stages. Program and project teams are responsible for identifying, 
analyzing, planning, tracking, controlling, mitigating and communicating risks using a number of risk management 
tool s as depi cted i n Fi gure 2. Ri sk management i s a conti nuous, i terati ve process to manage risk in order to achi eve 
program and mission success, it is a key element and an integral part of normal program and project management 
and engineering processes. 



Statement of risk 


Risk classification 
Likelihood 
Consequence 
Timeframe 
Risk prioritization 


Research 

^Watch (tracking requirements) 
Acceptance Rationale 
Mitigation Plans 


Risk status reports on: 
Risks 

Risk Mitigation Plans 


Close or Accept Risks 
Invoke contingency plans 
Continue to track 


Figure 2 - CRM Process Flow (ref. 8) 

Under theumbrellaof CRM (Figure 3), a complete array of system safety and reliability tools are used by ATK 
Launch Systems to i denti fy risksto fli ght through all life cycl e phases. 



Figure 3 -System Safety and Reliability Tools 

Continuous, Life Cycle Risk Management: Risk-based Design 
Program Risk, Product Hardware Risk, Process Risk, Support Process Risk 
Facility and Process Risk, Supplier Risks, Other Risks 

Risk Management Tools: Fault Tree Analysis, Hazard Analysis, 

Failure Modes and Effects Analysi ^Critical Items List, Probabilistic Risk Assessment, 
Lessons Learned, Brainstorming, etc. 


Risk-based Design: The CRM process used for ATK Launch Systems Inc. Ares I First Stage Project for the 
Constellation program began with risk-based design (RBD). RBD is a structured, formalized methodology in which 
risk consideration becomes an integral part of the initial design process. The objective of RBD is to identify and 
characterize ri sks duri ng the concept devel opment and prel i mi nary desi gn phases and communicate the ri sks with all 
involved. As risks are identified and characterized, planning as to how to handle each risk is accomplished. The 
f i rst effort i s to desi gn out ri sks duri ng these prel i mi nary desi gn phases. I f i t i s not possi bl e to desi gn out risk, risk 
mi ti gati on techni ques are appl i ed to provi de fai I ure tol erance (i .e. redundancy) . When desi gni ng i n f ai I ure tol erance 
is not possible or is prohibitive to the function of the system, efforts are then focused to design for minimum risk 
(i.e. safety factors). If all efforts to address reduction of risk are not able to provide the desired improvement of 
bringing the risk to an acceptable level, decisions are made to determine if there will bean acceptance of risk at that 
present level or if it is “back to the drawing boards” for redesign. RBD involves the integration of design 
engineering and project management with system safety, reliability, maintainability, supportability, 
manufacturability, operability and affordability. Again the key to developing a RBD activity is the integration and 
communication of risk identification and characterization within the design process. The early identification of risks 
provides the opportunity to prioritize the allocation of resources based on the reduction of overall system risk. 
Where applicable, RBD efforts use hazard analyses, fault tree analyses (FT A) and fai I ure modes and effects analysis 
(FM EA). NASA’s Constellation design process includes RBD activities at all design levels from the component to 
the subsystem to the system to the stage or el ement I evel (i .e. A res I Fi rst Stage) to the A res system I eve I (propul si on 
elements) and the Orion system level (Crew elements) to the overall Constellation system. Where dominate failure 
modes cannot be designed out, the design incorporates specific provisions to address the points of risk. Such 
provision may include, but are not limited to, critical inspections, operating constraints, monitoring systems and 
relief provisions. 

Application of Risk Management Tools in Identifying, Assessing. Controlling and Verifying the Risks 

Hazard Analyses: The use of hazard analyses is applied as a primary CRM effort used in an iterative manner. 
Beginning with the preliminary hazard analyses, an examination of the design is provided to identify potential 
hazards and hazard causes at a ti me when the desi gn can be i nf I uenced and adj ustments made to el i mi nate ri sks As 
the design matures, a subsystem hazard analyses is provided with controls that are identified for all residual risks 
that could not be eliminated. The hazard analyses process continues to evolve with verification of controls through 
testing, analysisand inspection of the design features. The hazard analyses become an ongoing examination of risks 
to the flight article through all phases from manufacture through flight and the subsequent refurbishment and reuse 
of hardware where applicable (ref. 9). Included with each hazard analysis is a risk matrix giving avisual depiction 
of the estimation of relative risk with the hazardous condition in each report and the subsequent causes identified. 
The risk matrix used by all Constellation element hazard analyses is defined by NASA in Constellation Project 
document CxP 70038 and serves well as a discussion tool frequently used to fully vet the risk analyzed in each 
hazard report. A similar risk classification matrix with red, yellow and green denoting high, medium and low risk 
(Figure 4) is directed for use in the CRM process by another NASA document, CxP 7201 9. 
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Figure 4- Risk Classification Matrix (ref. 10) 


FTA: Preparation of a FTA of a system is used to identify hazardous conditions and their applicable causes. The 
FTA isasystem safety analysis technique which resultsin the following: 1) a logic tree developed using deductive 
logic from a top-level, undesired event to all sub-events which could occur to cause the top event, 2) a graphic 
representation of the various combi nations of possible events along with the interrelationships of system events and 
their dependence upon each other, and 3) identification of possible cause events and determination of where controls 
shoul d be appl i ed to assure that the undesi red event wi 1 1 not occur . For the A res I Fi rst Stage, the FT A i s devel oped 
to the level of detail at which controls may be implemented thereby reducing the probability of loss of life or loss of 
the Constel I ati on system . The FT A has been used to i denti f y the events, hazardous condi ti ons and the hazard causes 
that are addressed in each of the Ares I First Stage hazard reports. 

FMEA/Critical Items List) : The FMEA is used to identify potential failure modes of a part, component, or 
subsystem and denote those where the occurrence would be critical or catastrophic. The Critical Items List (Cl L) 
provides the justification, frequently termed retention rationale, that explains how each particular failure mode is 
controlled to an acceptable level. Hardware parts, components and subsystems are individually analyzed to 
determine possible failure modes and what occurrences such as process failures, material defects, etc. could cause a 
failure. The resulting worst-case effect of each failure mode is then assessed and documented. Using the 
determined worst-case effects, all items areclassified according to an associated failure criticality. 

Criticality 1 -Sngle failure that could result in loss of lifeor vehicle 

Criticality 1R- Redundant hardware item(s), all of which, if failed, could causelossof lifeor vehicle 
Criticality IS- Failure in a safety or hazard monitoring hardware item that could cause the system to fail to 
detect, combat, or operate when needed during a hazardous condition, potentially resulting in loss of lifeor 
vehicle 

Criticality 2 — Singleitem fail ure that coul d result i n I oss of mi ssi on wi thout I oss of I i f e 
Criticality 2R- Redundant hardware item(s), all of which, if failed, could causelossof mission 
Criticality 3- All failuresthatdonot result in loss of lifeor I oss of ability to complete the mi ssi on (ref. 11) 

For the ATK Launch Systems Inc. Ares I First Stage of the overall Constellation system, the Cl L is documented and 
maintained for all criticality 1, 1R, IS, 2 and 2R failure modes. The CIL retention rationale documents how each 
component, material or hardware item is certified and what design safety margins are included. The CIL retention 
rationale also lists the inspections and tests performed during manufacturing and assembly processes that assure all 
potential failure causes are controlled and that the controls are verified. Each inspection or test listed in the CIL 
retention rationale is given a CIL code. These same inspections or tests with the corresponding CIL code are 
attached to the respective manufacturing test or inspection that is found in the manufacturing and inspection plana 
CIL inspections and tests in manufacturing planning cannot be removed or changed without an assessment of risk, 
changing the CIL retention rationale as applicable, and the subsequent review and approval from ATK Launch 
Systems Inc. management and NASA. Regular audits of manufacturing planning are conducted by a system safety 
engineer to verify that all the inspections listed in the CIL are properly called out in the planning. This process 
ensures that building the Ares I First Stage to desi gn wi 1 1 be repeatabl e and that documented retenti on rati onal e wi 1 1 
assure controls are in place so that potential fail ure modes will not occur (ref. 12). 


Probabilistic Risk Assessment (PRAI: ATK Launch Systems defines PRA similar to others as “a comprehensive, 
structured, and logical analysis methodology aimed at identifying and assessing risks one at a time in complex 
technological system^’. PRA generally used for high reliability failure modes that present significant system 
consequence is targeted at risk environments relative to the system that may involve the compromise of safety, 
inclusive of the potential loss of life, personal injury and loss or degradation of high-value property. PRA has 
become a principal analytical methodology for identifying and analyzing technical and safety risk associated with 
complex systems, projects and programs such as the Ares I First Stage of the Constellation program. The ATK 
Launch Systems, Ares I First Stage Reliability Han says: “PRA feeds into and supports the risk management 
activities by identifying dominant contributors (those events that contribute most to risk) so that resources can be 
allocated to significant risk drivers and not wasted on items that insignificantly affect overall system risk. PRA 
provides a framework to quantify uncertainties in events that are important to system safety. By requiring the 
quantification of uncertainty, PRA informs the decision-makers of the sources of uncertainty and provides 
information that determines the worth of investing resources to reduce uncertainty. PRA differs from reliability 
analysis in three important respects: 1) PRA tends to focus on the evaluation of system failure while reliability 
analysis tends to focus on the evaluation of system success, 2) PRA explicitly quantifies uncertainty while reliability 



analysis nominally considers uncertainty in parameter estimates, and 3) PRA quantifies metrics related to the 
occurrence of highly adverse consequences (e.g., fatalities, illness, loss of mission) as opposed to narrower system 
performance metrics such as system reliability. PRA also differs from hazard analysis, which evaluates metrics 
related to the effects of high consequence and low probability events treating them as if they have already occurred. 
PRA results are directly applicable to resource allocation and other kinds of risk management decision-making 
based on its broader consequence metrics?’. 

The PRA process is helpful in the identification of weaknesses and vulnerabilities in systems that have the potential 
to adversely impact the safety, performance and mission success of the system. Such information provides insights 
for viable risk management strategies for use in the reduction of risk and assists the decision-maker determine where 
the expenditure of resources can most effectively be utilized in improving the design and operation in the most cost- 
beneficial manner. The ATK Launch Systems, Ares I First Stage Reliability Plan also states: “The most useful 
applications of PRA have been in the evaluation of complex systems subject to high-consequence events and the 
evaluation of complex scenarios consisting of chains of less critical or insignificant events, that when combined 
interact in a way that leads to a major system failure. Credible chain reaction failures are difficult to identify. 
Thousands even tens of thousands of such scenarios can be formulated, but which of these are credible? Few tools 
are avail able for such what-if analysis. Of these few tools, PRA analysis is perhaps the most useful”. 

CRM Process: The risk management processfor the Ares I First Stage program within ATK Launch Systems Inc. is 
appl i ed as a means to anti ci pate; mi ti gate and control ri sks and to focus resources where they can be most effecti vel y 
used to ensure overall success of the program. While the risks addressed through the hazard analyses, FTA, 
FMEA/CIL and PRA tools are focused at the end item product, the CRM process is utilized to look at all risks. The 
CRM process has been effectively initiated on the Ares I First Stage program beginning with preliminary design 
concepts and has been utilized for working cost, schedule; technical and safety risks 

Ares I First Stage identified risks are subjected to the CRM process and are characterized utilizing the Ares risk 
scorecard shown in Figure 5. After risks are properly defined and scored, a determination ismadeon the mitigation 
necessary to reduce the ri sk to an acceptabl e I evel . Usual ly ri sks are pri ori ti zed based on thei r rel ati ve standi ng wi th 
other risks as ranked by likelihood and severity scores. The goal of risk management is, asamatter of efficiency, to 
apply resources where they will have the greatest potential of reducing significant program risks With the risks 
scored, the overall significance is easily seen in descending significance from red to yellow then green. At times, 
elevation is required to ensure that significant risks are communicated up the line of management and that needed 
direction or resources are obtained for mitigation. As each risk has an owner, that person is required to monitor and 
update mi ti gati on pi ans showi ng compl eti on or changes as wel I as provi de a status at peri odi c ri sk revi ews. A s the 
risk mitigation plan is being fulfilled, the reduction in risk can be depicted with a waterfall chart as shown in the 
example in Figure 6. In addition to the risk management steps of identify, analyze, plan, track and control, the risk 
management process for complex systems such as the Ares I First Stage program includes some formal 
opportunities for documenting and communicating the risk including: 

• Ri sks are i dentifi ed and documented 

• Si gni f i cant ri sks (red and yel I ow at a mi ni mum) are documented i n the ri sk tracki ng database 

• Each ri sk owner manages hi s ri sks 

• A Risk Management Board (RMB) reviews new and high (red) risks and others needing special attention 
as necessary 

• The RM B el evates red ri sks and those needi ng external resources to the appropri ate enti ty 

Reasons for elevating a risk could be: 1) visibility to provide management insight, 2) a higher level assistance is 
needed from the next higher level of management to share ownership and be able to carry out effective mitigation, 
and 3) coordination is needed with other organizations and stakeholders. The risk owners are the persons that 
i denti f y ri sks requi ri ng el evati on. 



Consequence (Impact) Rating 



Likelihood (Probability) of Occurrence Rating 

Probability 
Rating (P) 

Value 

Description 

Very High 

5 

Qualitative: Nearly certain to occur, requires immediate management attention; controls haws little or no effect 
Quantitative: 10 -2 <P < lO -1 for risks with primary impact on safety or 50% <P < 100% for risks with primary impact 
on cost, schedule or performance 

High 

4 

Qualitative: Highly likely to occur, most cases require management attention; controls haws significant uncertainties 
Quantitative: lO^ 3 <P < 10' 2 for risks with primary impact on safety or 33% <P£50% for risks with primary impact on 
cost, schedule or performance 

Moderate 

3 

Qualitative: May occur, management required in some cases; controls exist with some uncertainties 
Quantitative: 10 4 <P < lO^ 3 for risk with primary impact on safety or 10% <P < 33% for risks with primary impact 
on cost, schedule or performance 

Low 

2 

Qualitative: Not likely to occur, management not required in most cases; controls haws minor limitations/ uncertainties 
Quantitative: 10* <P < 10 -4 for risks with primary impact on safety or 5% < P < 10% for risks with primary impact on 
cost, schedule or performance 

Very Low 

1 

Qualitative: Very unlikely to occur, management not required in all cases; strong controls in place 
Quantitative: P < 10* for risks with primary impact on safety or P < 5% for risks with primary impact on cost 
schedule or performance 
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Figure5- Ares Risk Scorecard (ref. 13) 



Figure 6- Risk Waterfall Chart (ref. 14) 










Summary of Improving Our Odds: Success Through CRM 


While designing a rocket intended to launch humans into space is an extremely complex enterprise and while 
crossing a street is a simple routine effort, both endeavors can and should be preceded with an assessment of risk. 
Fai I ure to do so i n ei ther case coul d I ead to catastrophi c results. Someti mes we fai I to recogni ze ri sk, other ti mes we 
recognize risk but disregard the steps to mitigate it even though the consequences may be significant. The 
application of the risk management process is effective in structuring our efforts to lessen the likelihood and/or the 
severity of risks we face. To persons in different situations* risk management takes on a different emphasis, yet the 
basics are the same. The philosophy and idealsof CRM can be beneficially applied to all situations As noted, the 
risk management structure of identify, analyze, plan, track and control for dealing with risk can be used intentionally 
and in very involved ways or it can be applied subconsciously in simply situations, either way it will improve our 
odds of success 
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A premier aerospace and defense company 


• RISK is always present in everything we do be it a simple act or a major, 
complex operation: 

Crossing a Street 

Video Clip of Man crossing street 
Launching a Rocket 

ATK DVD “Vision - Innovation- Execution” 


• We Can Improve our odds of success through Continuous Risk 
Management 

Risk Management can be used for simple processes in an unconscious manner to 
make us safer. Is almost imperative to use for large enterprises if risk is to be 
reduced to acceptable levels 


• Risk Management is the structure for dealing with risk, be it intentional and 
involved or subconscious and simple. 


• Risk Management is "a discipline for living with the possibility that future 
events may cause adverse effects” 
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A premier aerospace and defense company 


“It ain't what you don't know that gets you into 
trouble. It's what you know for sure that just 
ain't so.” 

Mark Twain 

“You've got to be very careful if you don't 
know where you're going, because you might 
not get there.” 


Yogi Berra 
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Risk Management 


Risk Management PREDICTS, and then mitigates events that could prevent us from reaching our 
objectives. Our other measures of performance look in the “rear-view mirror” to see what 
HAS happened and, therefore, do nothing to prevent risks from coming to pass. 

Risk Management is a culture, a way of doing business, and a duty of all program, functional members and 

stakeholders. It is not a tool, a place, or a person. It is a continuous process shared by all program and 
functional personnel to capture, communicate and mitigate risks over the life of a program or function. 
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The Continuous Risk Management Process 



4 







Improving Our Odds: Success Through Continuous Risk Management (PiTK 


A premier aerospace and defense company 


Risk Management Process 

Identify - find the risks before they can become problems and result in loss or harm. A 
process of realizing the uncertainty for loss or harm 

• Capture the statement of risk in a way it can be described and measured 

• Given the ( condition ) there is a potential that ( risk ) could result in ( consequence ) 

• Capture the context of risk 

• Include additional information relevant to the circumstances 
surrounding the identified risk 

• Communicate the identified risk 


Communicate - Communicate - Communicate 
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Poor 

These risk statements are too general. They are concerns, certainly, but don’t give enough 
specifics to tackle in a meaningful way 

“Given the complexity of the vehicle there is a potential for errors to occur which could result in disaster.” 


“Given the dynamics of the program, there is a potential for inaccurate flow downs and interface breakdowns, 
which could result in costly/evolving changes” 


“Given the overall vehicle complexity, there is a potential for safety or quality disconnects, which could 
adversely affect performance, mission completion or result in system failure.” 

Better 


These risk statements or more specific and will help focus mitigation planning 

“Given the potential for error in the results of the random vibration analysis, there is a potential of 
underestimating the environment, which could result in a failure to verify avionics boxes to their flight 
environment leading to the worst case scenario of flight failure.” 


“Given the potential for errors in the structural dynamics predictions there is a potential for incorrect vehicle 
modes which could result in loss of vehicle (structural breakup, fluid exhaustion, etc). 


“Given that we have specified stages and have not established design to cost metrics, there is a potential that 
the vehicle may carry too high an inert weight to payload fraction, resulting in degraded market potential.” 
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Analyze - process of examining the risk in order to tell the potential extent, severity and 
likelihood 

• Evaluate the attributes of risks 

• Impact 

• Probability 

• Timeframe 

• Classify the risks 

• Grouping of risks based on similar characteristics 

• Prioritize the risks 

• Ranking of risks to define those most significant or those that need the most 
attention 

• Communicate the results or status of the analysis 

Plan - decide what to do with risks and how to go about doing it 

• Plan risk mitigation activities 

• Assign responsibilities 

• Communicate what is happening with the risk and how it is going 






Track/Document - follow the risk and the assigned risk responsibilities, collect more 
information 

• Monitor the risk and all related actions 

• Provide status reports 

• Communicate information relative to the progress of the risk 

Control - executing the risk mitigation activities that will reduce risks to levels where the 
uncertainties (likelihood) and potential loss (severity) are reduced to an acceptable 
level 

• Implement the controls 

• Monitor the controls 

• Communicate the effectiveness of the controls 

• COMMUNICATION is the centerpiece that holds the Continuous Risk 
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Given a c urrent 
condition and 
desired end state 


*** The “Map/D efine” step can use a number of 
tools such as process flow charts, program plans. 
Integrated Master Plans, Design Trees, etc, to 
guide the risk identification effort. 


Identify Risk 


Risk — An event that c ould happ en to prevent me fro m re aching my 
goal. 

Condition — The reason this risk makes you uncomfortable . 
Consequence — The result if the risk event happens. 

Severity — The measure of the magnitude of the effect of the risk event 
(consequence) onCost, Schedule, Technical Performance & Safety. 
Likelihood — The subjective measure of probability that the risk event 
will occur. 


FMEA, PFMEA, FMEC A-type methodology 


Map/Define 
the process — 
ID critical 
features + + + 


For each step - 
feature, define 
6 M’s, 3 W’s 
& Success 
Criteria 


Brainstorm 

potential risks 
for each step- 
feature with 
multi- 
disciplinary 
team 



Assess Risk 

Evaluate risks 


Evaluate Risks 


for probability 


for Synergies 


of occurrence 


and group to a 

1 — ► 

and severity of 


combined Risk 


consequence 


Level 





Periodic 
Program Risk 


Risk Tracker 


Review 




Determine root 
causes of the 
risk 


Mi rig vi te Risk 


Plan actions to 
reduce probability, 
reduce severity, 
plan contingencies 
or further 
understand risk 


Ide ntify and 
Assess Risks 
to the Plan 


Communicate the Risks 
(Reviews , Boards, 
Change Control, etc.) 



Perform Actions 
(Work the Plan) 

1 


Confirm Results 


2/13/07 
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Continuous, Life Cycle Risk Management: 
Risk-based Design 

Program Risk, Product Hardware Risk, Process 
Risk, Support Process Risk, Facility and Process 
Risk, Supplier Risks, Other Risks 
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Advanced Risk Management Tools: Reliability Analysis, PRA, FMEA/RECA, 

FMECA, PFMEA/PRECA, Brainstorming, ETC. 
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Definitions 


Risk - A credible future event that would prevent you from reaching a 
goal or objective - something that could go wrong with a planned 
activity (Problem vs. Risk) 


Risk Level - A combination of the likelihood that a risk will happen, with 
the severity of its consequence if it does happen - Consequences are 
typically categorized as to Safety, Cost, Technical and/or Schedule 


Mitigation - A planned, scheduled and funded action to reduce the 
likelihood or severity of a risk 

(An unplanned, unfunded, unscheduled action is could be called a hallucination) 
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Assess Risks - Likelihood 

Not “worst conceivable case” 

Determination of risk is for “worst credible case” 

Not “best case” (all success type) 

Likelihood / Probability can be either quantitative or qualitative 

Qualitative 

Subjective Evaluation based on a Simple Scale 
i.e. - “Remote” to “Near Certain” “1-5” 

Quantitative 

Probability Risk Assessment (PRA) 

Reliability Analysis 

Event Sequence Analysis 

Statistical Probability based on Historical Data 

Etc. 
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Assess Risks - Severity 


Not “worst conceivable” 

Determination of risk is for “worst credible case” 

Not “best case” (all case success type) 

Severity is qualitative 

If words on card do not match your need, change them 

What is required is a gradation - from minor to catastrophic 

FMECA, HA, PHA, Crit 1, Crit 1R, Crit 2, Crit 3 designations 

are all tools, but still use subjective evaluations (peer reviewed, rigorous 
process) 

Likelihood x Severity (Risk) “number” allows us to place challenges in a gross 
prioritization which is used for resource prioritization 
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Environmental 


Performance 

(mission 

success) 




5 

Very High 

Qualitative: Nearly certain to occur. 

Controls have little or no effect. 
Quantitative: -10-1 

4 

High 

Qualitative: Highly likely to occur. 

Controls have significant uncertainties. 
Quantitative: -10-2 

3 

Moderate 

Qualitative: May occur. 

Controls exist with some uncertainties. 
Quantitative: -10-3 

2 

Low 

Qualitative: Not likely to occur. 

Controls have minor limitations/uncertainties. 
Quantitative: -10-4 

1 

Very Low 

Qualitative: Very unlikely to occur. 

Strong Controls in Place 
Quantitative: -10-5 


Temporary usage Ic 
LOCM of non-flight 


Negligible schedule impact 


CxP 70056, Cx Program Risk Management Plan 
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Why look at Risk Synergies? 


Individual risks can stack up to be more significant than they might appear 
individually 

If only look individually may mis-prioritize and not commit resources 
where they are most critical 

Example 1 : Single poisonous snake in a large yard - risk 

2 nd single poisonous snake (SPS) in a large yard - risk 
3 rd , 4 th , 5 th , 6 th SPS in a large yard - low risk 

6 poisonous snakes in a large yard - low risk to me, I’m 
staying away from that yard together very high risk 

May seem obvious, but six different schedule risk items are often assessed 
as low risk individually. The combination of these can be catastrophic to a 
Program and need to be assessed (appropriate) for mitigation that way. 

Cost risks can be the same. 

Capacity planning can be the same. 
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What should synergy look like? 



8 , 15 , 

31 , 32 , 

33 


6 , 7,10 

11 , 25 , 

28,38 


13,14 9 , 12 , 26 , 

16 , 24 , 27 , 30 , 

34 37, 39 




5 , 23 , 7 , 
25 , 10 , 
28 , 11 , 
29 



8 , 15 , 

31 , 32 , 

33 


13,14 9 , 12 , 26 , 

16 , 24 , 27 , 30 , 

34 37, 39 


Individual Risks 
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Consequence 


Consequence 
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To Mitigate (ALL red risks and red synergies and selected yellow / green): 

A. Understand root cause of risk 

B. Employ ALL of the following: 

1 ) Consider mitigations that reduce either likelihood 

2) Consider mitigations that reduce either severity 

3) Consider mitigations that are reactive to the risk being 
realized i.e. contingency plans (i.e. coming back on line, 
hang-fire planning, recovery after an earthquake) 

4) Analysis actions (define the actions that will enable 
understanding so that mitigation plans can be more 
effective - Informed decision making) 

C. Mitigate risk synergies as required for highest Program benefit 

D. Create a funded, scheduled activity that is tracked as part of program 
plan - risks mitigations are to below red levels - how far below is 

a Program decision 
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What Risk Mitigation is Not 


Analysis doesn’t change risk if hardware, resources, requirements or tools are not 
changed - exception: risk of having an unknown (which generally isn’t useful to 
track except for having a >10% Program reserve at initiation of a properly funded 
Program) 

Getting through a review is not a risk mitigation 

An unfunded, unscheduled, albeit thought-out approach, is not a risk mitigation 

Changing a risk number due to Programmatic / Functional pressures, without new 
data, or merely deciding to accept a level of risk is not mitigation 

Mitigating a direct / immediate cause, without mitigating the root cause is not an 
effective mitigation 

Out waiting the risk item (finding out in test if performance is acceptable) is not a 
mitigation 
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• RISK is present in everything we do be it a simple act or a major, complex 
operation. We can choose to over look risks and manage the consequences 
when they become incidents: 



-OR- 
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We can use the Continuous Risk Management 
Model to Improve Our Odds of Being Successful 
and Avoiding Loss 





